Upsert many entities in Entity Store

PUT /api/entity_store/entities/bulk

Spaces method and path for this operation:

put /s/{space_id}/api/entity_store/entities/bulk

Refer to Spaces for more information.

Update or create many entities in Entity Store. If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.

Query parameters

force boolean

Default value is false.

application/json

Body Required

Schema for the updating many entities

entities array[object] Required
Hide entities attributes Show entities attributes object
- record object Required
  
  One of:
  Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object Security_Entity_Analytics_API_GenericEntity object
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  entity object Required
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  managed boolean
  
  mfa_enabled boolean
  
  privileged boolean
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  new_country_login boolean
  
  used_usb_device boolean
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  id string Required
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  last_activity string(date-time)
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  accesses_frequently array[string]
  
  communicates_with array[string]
  
  dependent_of array[string]
  
  depends_on array[string]
  
  owned_by array[string]
  
  owns array[string]
  
  supervised_by array[string]
  
  supervises array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  sub_type string
  
  type string
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  user object
  
  Additional properties are NOT allowed.
  
  Hide user attributes Show user attributes object
  
  domain array[string]
  
  email array[string]
  
  full_name array[string]
  
  hash array[string]
  
  id array[string]
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  category_3_count integer
  
  category_3_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  is_privileged_user boolean
  
  notes array[string] Required
  
  privileged_user_modifier number(double)
  
  roles array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  entity object Required
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  managed boolean
  
  mfa_enabled boolean
  
  privileged boolean
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  new_country_login boolean
  
  used_usb_device boolean
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  id string Required
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  last_activity string(date-time)
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  accesses_frequently array[string]
  
  communicates_with array[string]
  
  dependent_of array[string]
  
  depends_on array[string]
  
  owned_by array[string]
  
  owns array[string]
  
  supervised_by array[string]
  
  supervises array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  sub_type string
  
  type string
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  host object
  
  Additional properties are NOT allowed.
  
  Hide host attributes Show host attributes object
  
  architecture array[string]
  
  domain array[string]
  
  entity object
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  managed boolean
  
  mfa_enabled boolean
  
  privileged boolean
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  new_country_login boolean
  
  used_usb_device boolean
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  id string Required
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  last_activity string(date-time)
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  accesses_frequently array[string]
  
  communicates_with array[string]
  
  dependent_of array[string]
  
  depends_on array[string]
  
  owned_by array[string]
  
  owns array[string]
  
  supervised_by array[string]
  
  supervises array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  sub_type string
  
  type string
  
  hostname array[string]
  
  id array[string]
  
  ip array[string]
  
  mac array[string]
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  category_3_count integer
  
  category_3_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  is_privileged_user boolean
  
  notes array[string] Required
  
  privileged_user_modifier number(double)
  
  type array[string]
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  entity object Required
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  managed boolean
  
  mfa_enabled boolean
  
  privileged boolean
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  new_country_login boolean
  
  used_usb_device boolean
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  id string Required
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  last_activity string(date-time)
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  accesses_frequently array[string]
  
  communicates_with array[string]
  
  dependent_of array[string]
  
  depends_on array[string]
  
  owned_by array[string]
  
  owns array[string]
  
  supervised_by array[string]
  
  supervises array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  sub_type string
  
  type string
  
  event object
  
  Additional properties are NOT allowed.
  
  Hide event attribute Show event attribute object
  
  ingested string(date-time)
  
  service object
  
  Additional properties are NOT allowed.
  
  Hide service attributes Show service attributes object
  
  entity object
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  managed boolean
  
  mfa_enabled boolean
  
  privileged boolean
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  new_country_login boolean
  
  used_usb_device boolean
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  id string Required
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  last_activity string(date-time)
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  accesses_frequently array[string]
  
  communicates_with array[string]
  
  dependent_of array[string]
  
  depends_on array[string]
  
  owned_by array[string]
  
  owns array[string]
  
  supervised_by array[string]
  
  supervises array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  sub_type string
  
  type string
  
  name string Required
  
  risk object
  
  Hide risk attributes Show risk attributes object
  
  @timestamp string(date-time) Required
  
  The time at which the risk score was calculated.
  
  calculated_level string Required
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double) Required
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double) Required
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  category_1_count integer Required
  
  The number of risk input documents that contributed to the Category 1 score (category_1_score).
  
  category_1_score number(double) Required
  
  The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.
  
  category_2_count integer
  
  category_2_score number(double)
  
  category_3_count integer
  
  category_3_score number(double)
  
  criticality_level string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  criticality_modifier number(double)
  
  id_field string Required
  
  The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.
  
  id_value string Required
  
  The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.
  
  inputs array[object] Required
  
  A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
  
  A generic representation of a document contributing to a Risk Score.
  
  Hide inputs attributes Show inputs attributes object
  
  category string Required
  
  The risk category of the risk input document.
  
  contribution_score number(double)
  
  description string Required
  
  A human-readable description of the risk input document.
  
  id string Required
  
  The unique identifier (_id) of the original source document
  
  index string Required
  
  The unique index (_index) of the original source document
  
  risk_score number(double)
  
  The weighted risk score of the risk input document.
  
  Minimum value is 0, maximum value is 100.
  
  timestamp string
  
  The @timestamp of the risk input document.
  
  is_privileged_user boolean
  
  notes array[string] Required
  
  privileged_user_modifier number(double)
  
  Hide attributes Show attributes
  
  @timestamp string(date-time)
  
  asset object
  
  Additional properties are NOT allowed.
  
  Hide asset attributes Show asset attributes object
  
  business_unit string
  
  criticality string
  
  The criticality level of the asset.
  
  Values are low_impact, medium_impact, high_impact, or extreme_impact.
  
  environment string
  
  id string
  
  model string
  
  name string
  
  owner string
  
  serial_number string
  
  vendor string
  
  entity object Required
  
  Additional properties are NOT allowed.
  
  Hide entity attributes Show entity attributes object
  
  attributes object
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  asset boolean
  
  managed boolean
  
  mfa_enabled boolean
  
  privileged boolean
  
  behaviors object
  
  Additional properties are NOT allowed.
  
  Hide behaviors attributes Show behaviors attributes object
  
  brute_force_victim boolean
  
  new_country_login boolean
  
  used_usb_device boolean
  
  EngineMetadata object
  
  Additional properties are NOT allowed.
  
  Hide EngineMetadata attribute Show EngineMetadata attribute object
  
  Type string Required
  
  id string Required
  
  lifecycle object
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  first_seen string(date-time)
  
  last_activity string(date-time)
  
  name string
  
  relationships object
  
  Additional properties are NOT allowed.
  
  Hide relationships attributes Show relationships attributes object
  
  accessed_frequently_by array[string]
  
  accesses_frequently array[string]
  
  communicates_with array[string]
  
  dependent_of array[string]
  
  depends_on array[string]
  
  owned_by array[string]
  
  owns array[string]
  
  supervised_by array[string]
  
  supervises array[string]
  
  risk object
  
  Additional properties are NOT allowed.
  
  Hide risk attributes Show risk attributes object
  
  calculated_level string
  
  Values are Unknown, Low, Moderate, High, or Critical.
  
  calculated_score number(double)
  
  The raw numeric value of the given entity's risk score.
  
  calculated_score_norm number(double)
  
  The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
  
  Minimum value is 0, maximum value is 100.
  
  source string
  
  sub_type string
  
  type string
- type string Required
  
  Values are user, host, service, or generic.

Responses

200

Entities updated or created
403

Operation on a restricted field
503

Operation on an uninitialized Engine or in a cluster without CRUD API Enabled

PUT /api/entity_store/entities/bulk

curl \
 --request PUT 'https://<KIBANA_URL>/api/entity_store/entities/bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"entities":[{"record":{"@timestamp":"2025-05-04T09:42:00Z","asset":{"business_unit":"string","criticality":"low_impact","environment":"string","id":"string","model":"string","name":"string","owner":"string","serial_number":"string","vendor":"string"},"entity":{"attributes":{"asset":true,"managed":true,"mfa_enabled":true,"privileged":true},"behaviors":{"brute_force_victim":true,"new_country_login":true,"used_usb_device":true},"EngineMetadata":{"Type":"string"},"id":"string","lifecycle":{"first_seen":"2025-05-04T09:42:00Z","last_activity":"2025-05-04T09:42:00Z"},"name":"string","relationships":{"accessed_frequently_by":["string"],"accesses_frequently":["string"],"communicates_with":["string"],"dependent_of":["string"],"depends_on":["string"],"owned_by":["string"],"owns":["string"],"supervised_by":["string"],"supervises":["string"]},"risk":{"calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0},"source":"string","sub_type":"string","type":"string"},"event":{"ingested":"2025-05-04T09:42:00Z"},"user":{"domain":["string"],"email":["string"],"full_name":["string"],"hash":["string"],"id":["string"],"name":"string","risk":{"@timestamp":"2017-07-21T17:32:28Z","calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0,"category_1_count":42,"category_1_score":42.0,"category_2_count":42,"category_2_score":42.0,"category_3_count":42,"category_3_score":42.0,"criticality_level":"low_impact","criticality_modifier":42.0,"id_field":"host.name","id_value":"example.host","inputs":[{"category":"category_1","contribution_score":42.0,"description":"Generated from Detection Engine Rule: Malware Prevention Alert","id":"91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c","index":".internal.alerts-security.alerts-default-000001","risk_score":42.0,"timestamp":"2017-07-21T17:32:28Z"}],"is_privileged_user":true,"notes":["string"],"privileged_user_modifier":42.0},"roles":["string"]}},"type":"user"}]}'